If your company's network is breached, or if an employee's laptop is stolen, how confident are you that you will not face the costly consequences of privacy regulation?
“A lot of people think that Internet liability exposure or exposure to violation of privacy laws doesn’t really affect them, when actually every business would be affected by a breach of their network security,” says Phil Coyne, vice president at ECBM Insurance Brokers and Consultants.
In practice, just about every business has some exposure, whether or not it recognizes it.
Smart Business spoke with Coyne about what you can do to reduce your company’s exposure to privacy violations.
What kinds of companies are at risk for cyber liability or privacy violations?
Any business that uses a computer or network, uses e-mail, or has access to the Internet is at risk. If you hold client information on your network, or retain private employee information, your risk increases dramatically. Customers who rely on a business’s network, or who have information residing on another business’s network, can inherit exposure, as well.
What legislation and/or regulations could companies be subject to?
Among the federal laws and regulations is the Gramm-Leach-Bliley Act, which governs how financial institutions use and protect consumers' financial information. The Health Insurance Portability and Accountability Act (HIPAA) establishes requirements to protect individual health information. The Payment Card Industry Data Security Standard (PCI DSS) establishes worldwide security standards for protecting customer account information. The Federal Trade Commission Act, the Sarbanes-Oxley Act, the Fair and Accurate Credit Transactions Act and its Red Flag provisions, and state cyber privacy laws can also come into play.
What are the Red Flag Provisions?
They are part of the Fair and Accurate Credit Transactions Act of 2003, Section 114. This provision requires companies to 'detect, prevent and mitigate identity theft in connection with the opening of certain accounts.' It specifically references banks, finance companies, automobile dealers, mortgage brokers, utility companies, telecommunications companies and those in the health care industry.
The act requires that any business that has 'covered accounts' have a plan in place to help recognize the red flags associated with identity theft and fraud. The plan must be written and approved by the board of directors or a committee of the board with senior management involvement, and it must include training and oversight of the program.
What can companies do to reduce their exposure to these possible expenses and costs?
A company should audit its network security systems and internal controls, and include an audit of its vendors and their controls. However, even with the right controls in place you can still be exposed. You should also consider purchasing cyber liability coverage, because traditional property, general liability and professional liability coverage leave gaps.
What kind of coverage is available under a cyber liability policy?
The typical cyber liability policy provides coverage for claims from parties outside of your company that result from network damage, security breaches and privacy violations.
Examples of the types of losses covered under network damage include authorized users losing access to the system, service interruption of the network, unauthorized access and destruction of third-party information.
Examples of the types of losses under security breaches include failure of the network to identify and authenticate a user, failure to properly secure data, failure to protect against viruses and failure to defend against denial-of-service attacks. The privacy coverage is in place to protect against third-party claims made for failing to comply with regulatory requirements regarding the privacy of individual and confidential information, and the expenses incurred to comply with breach notification requirements.
What are the top sources of losses for cyber liability exposures?
The largest source of loss is from breaches in network security, with stolen equipment being the second-largest source. The most common types of equipment stolen are laptops or other portable devices that can retrieve sensitive and/or confidential information. The breach may be small, but even a small breach can be very costly because of the notification requirements and the monitoring services that must be offered.
What are the costs associated with a loss that could be covered under a cyber liability policy?
In a service interruption loss, the costs to remediate a company's Web site and its contents, the extra expense incurred to fix the company's network and the loss of income could be covered. Costs associated with a data breach that could be covered include liability arising from privacy invasion suits, the costs to comply with privacy regulations regarding notification and to provide credit monitoring services to affected individuals, and the costs associated with restoring a company's reputation. The costs associated with an Internet media loss could include copyright or trademark infringement, libel or slander, and privacy invasion claims arising from a company's Web site.
Again, while many businesses feel they have no exposure, or only a small one, to a cyber liability and/or privacy claim, with the way business is conducted today, every business is susceptible to a claim.
Phil Coyne is a vice president with ECBM Insurance Brokers and Consultants. Reach him at (610) 668-7100 or email@example.com.